# Releases

## Overview

GitHub offers a releases feature as a way to publish packaged iterations of software. A release includes compressed snapshots of the source code, such as `.zip` and `.tar.gz` files. In addition, GitHub lets you attach extra files when creating or editing a release, and these extra files can be modified after the release has been created.

To reproduce this issue, follow these steps:

1. Create a public repository on GitHub
2. Create a release and add a `test.sh` file
3. Invite an `attacker` user as a collaborator
4. The `attacker` can edit the release and modify the `test.sh` file
5. Nothing in the GitHub UI indicates that the release has been modified

In other words, an attacker who compromises the account of any project collaborator can modify a release without the project owner's knowledge. This is possible for the following reasons:

1. Release assets can be modified after the initial publication (the source code snapshots are excluded)
2. Any project collaborator can modify a release; there is no permission that lets the owner prevent releases from being changed
3. The UI does not notify or indicate that a release has been modified (the [Releases API](https://docs.github.com/en/rest/reference/repos#releases) does expose additional information about release assets)
4. The `verified` badge is shown when the git commit is verified (this applies only to the source code snapshots, not to the extra files)
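Since the UI gives no hint but the Releases API does expose per-asset metadata, a defender can audit a release from the API response instead. The script below is an added example, not code from the original page or from GitHub: it parses the JSON shape returned by `GET /repos/{owner}/{repo}/releases/{release_id}` and flags assets whose `updated_at` or `created_at` is later than the release's `published_at`, or whose uploader is not the release author. The field names (`published_at`, `author.login`, `assets[].created_at`, `assets[].updated_at`, `assets[].uploader.login`) are real Releases API fields; the payload, logins and timestamps embedded below are constructed for illustration.

```python
"""Flag GitHub release assets that changed after the release was published.

Added example (not part of the original page). Reads the JSON shape of the
Releases API and reports assets added, modified, or uploaded by someone other
than the release author after publication. Sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample payload: field names follow the Releases API, values are made up.
SAMPLE_RELEASE_JSON = """{
  "tag_name": "v1.2.0",
  "created_at": "2024-03-01T09:55:00Z",
  "published_at": "2024-03-01T10:00:00Z",
  "author": {"login": "owner-user"},
  "assets": [
    {"name": "test.sh", "size": 512,
     "created_at": "2024-03-01T09:58:00Z",
     "updated_at": "2024-03-09T17:42:00Z",
     "uploader": {"login": "owner-user"}},
    {"name": "checksums.txt", "size": 180,
     "created_at": "2024-03-01T09:59:00Z",
     "updated_at": "2024-03-01T09:59:00Z",
     "uploader": {"login": "owner-user"}},
    {"name": "helper.tar.gz", "size": 40960,
     "created_at": "2024-03-12T08:05:00Z",
     "updated_at": "2024-03-12T08:05:00Z",
     "uploader": {"login": "collab-user"}}
  ]
}"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps ('...Z') the API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_release(release):
    """Return a list of (asset_name, reason) findings for one release dict.

    Drafts have no published_at, so fall back to the release's created_at.
    """
    published = parse_ts(release.get("published_at") or release["created_at"])
    author = release["author"]["login"]
    findings = []
    for asset in release.get("assets", []):
        name = asset["name"]
        created = parse_ts(asset["created_at"])
        updated = parse_ts(asset["updated_at"])
        uploader = asset["uploader"]["login"]
        if created > published:
            # Asset did not exist when the release went out.
            findings.append((name, f"added after publication ({asset['created_at']})"))
        elif updated > published:
            # Re-upload, rename or label edit bumps updated_at; review either way.
            findings.append((name, f"modified after publication ({asset['updated_at']})"))
        if uploader != author:
            findings.append((name, f"uploaded by {uploader}, release author is {author}"))
    return findings


def audit_release_json(text):
    """Convenience wrapper: audit a raw API response body."""
    return audit_release(json.loads(text))


if __name__ == "__main__":
    for asset_name, reason in audit_release_json(SAMPLE_RELEASE_JSON):
        print(f"{asset_name}: {reason}")
```

Run against a live response by feeding the body of the Releases API call into `audit_release_json`; on the constructed sample it reports `test.sh` as modified eight days after publication and `helper.tar.gz` as both added later and uploaded by a different account. An `updated_at` bump also occurs for a rename or label edit, so treat each finding as something to verify against the published checksums rather than as proof of tampering.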

## References

* [Article: Supply chain attacks via GitHub.com releases](https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/)
